A company currently has an on-premise network. They have an Active Directory domain defined as whizlab.com. They recently purchased an Azure AD tenant and now want to synchronize users from their on-premise Active Directory domain to Azure AD. They also want to enable single sign-on for the users.
The company decides to set up Active Directory Federation Services and set up a sync with Azure AD.
Would this fulfil the requirement?
Answer – A
Yes, you can use Active Directory Federation Services as well. This is also mentioned in the Microsoft documentation.
For more information on hybrid identity, please visit the below URL
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/whatis-hybrid-identity
A company currently has an on-premise network. They have an Active Directory domain defined as whizlab.com. They recently purchased an Azure AD tenant and now want to synchronize users from their on-premise Active Directory domain to Azure AD. They also want to enable single sign-on for the users.
The company decides to set up an Active Directory domain on a set of servers in a Virtual Network. They then develop a sync strategy with Azure AD.
Would this fulfil the requirement?
Answer – B
Here the primary purpose is to sync on-premise users with Azure AD, not to set up a separate domain environment in Azure.
For more information on hybrid identity, please visit the below URL
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/whatis-hybrid-identity
A company currently has an on-premise network. They have an Active Directory domain defined as whizlab.com. They recently purchased an Azure AD tenant and now want to synchronize users from their on-premise Active Directory domain to Azure AD. They also want to enable single sign-on for the users.
The company decides to install Azure AD Connect with pass-through authentication. They then configure single sign-on in Azure AD Connect.
Would this fulfil the requirement?
Answer – A
Azure AD Connect is a tool that can be used to sync on-premise AD users with Azure AD.
Below is the diagram from the Microsoft documentation that showcases this.
You can also combine this with Single Sign-On as mentioned below.
For more information on pass through authentication, please visit the below URL
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-pta
A company is planning on storing database backups in Azure. These backups will be individual .bak files. The files need to be stored for compliance reasons. Most likely the data backups will never be used for recovery purposes. You have to decide which solution to use for the backup data. You have to minimize costs.
Answer – B
Using BLOB storage for storing files and objects is ideal. You can use the Archive tier to save on storage costs for objects that are not retrieved. The Microsoft documentation mentions the following
Option A is incorrect since this is a SQL data store and should not be used for file-based backups.
Option C is incorrect since using the Archive tier would be a more cost-effective option
Option D is incorrect since this is used when using the Azure Backup and Site Recovery service
For more information on the different storage tiers, please visit the below URL
https://docs.microsoft.com/en-us/azure/storage/blobs/storage-blob-storage-tiers
A company has deployed a web-based application based on the following architecture
The company now wants to implement an active-active configuration. Which of the following needs to be done for this requirement?
Answer – D
You can change the routing method for the Traffic Manager to the Priority routing method for implementing failover. The Microsoft documentation mentions the following on the routing method.
The other options are incorrect since a Load Balancer cannot divert traffic across regions.
For more information on Azure Traffic Manager routing methods, please visit the below URL
https://docs.microsoft.com/en-us/azure/traffic-manager/traffic-manager-routing-methods
A company has deployed a web-based application based on the following architecture
The company needs to control the threshold for the failover to the standby region. Which of the following needs to be done for this to happen?
Answer – D
Since we are going to be using the Azure Traffic Manager, we can use the Endpoint monitor settings for the Traffic Manager. The Microsoft documentation mentions the following
Since the other settings are not applicable to Azure Traffic Manager, the other options are incorrect.
For more information on Azure Traffic Manager endpoint monitoring, please visit the below URL
https://docs.microsoft.com/en-us/azure/traffic-manager/traffic-manager-monitoring
A team is planning on deploying Azure resources by using Resource Manager templates. The templates need to reference secrets that are stored in Azure Key vault. You need to ensure deployments can be made accordingly.
Which of the following would you need to enable in the Azure key vault to ensure the templates can reference the secrets stored in the vault?
Answer – D
This is clearly given in the documentation. In order for Resource Manager templates to access Azure Key Vault, you need to enable the setting in the Advanced policy section for the Key Vault.
Since this is clearly given in the documentation, all other options are invalid
For more information on using the Azure Key vault from Resource Manager templates, please visit the below URL
A team is planning on deploying Azure resources by using Resource Manager templates. The templates need to reference secrets that are stored in Azure Key vault. You need to ensure deployments can be made accordingly.
Which of the following would you use to restrict access to the secrets in the key vault?
Answer – A
Since the question here refers to restricting access to the secrets in the key vault, we have to work with "Access policies for the Key vault", because RBAC controls only the management plane, whereas access policies control the data plane.
For more information on accessing secrets from Resource Manager templates, please visit the below URL
https://docs.microsoft.com/en-us/azure/key-vault/general/overview-security
https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-manager-keyvault-parameter
A company has deployed an API using the API management service. They want to add an OAuth2 service as shown below
Which of the following is the application/authentication type for which the authorization grant is being used?
Answer – D
An example is given in the Microsoft documentation which showcases registering 2 web applications along with the OAuth2 service.
Since this is clearly showcased in the Microsoft documentation, all other options are invalid
For more information on the example itself, please visit the below URL
https://docs.microsoft.com/en-us/azure/api-management/api-management-howto-protect-backend-with-aad
A company has deployed an API using the API management service. They want to add an OAuth2 service as shown below
In order to enable custom data in the grant flow, which of the following should be used to make this happen?
Answer – D
The support state parameter gives a chance for the application to persist data between the user and the application server. Below is what is mentioned in the documentation for OAuth2
Since this is clearly mentioned in the OAuth2 documentation, all other options are invalid
For more information on authorization code for server-side apps, please visit the below URL
https://www.oauth.com/oauth2-servers/server-side-apps/authorization-code/
A company named Whizlabs currently has an on-premise Active Directory Forest. They have recently set up an Azure AD tenant and also set up Azure AD Connect. They have currently procured Premium P1 licences.
Which of the following features could result in reducing the operational overhead when it comes to managing the user's credentials?
Answer – A and C
If users get locked or forget their password, you can use the self-service password reset with writeback option. This is also given in the Microsoft documentation. And these features are included as part of Premium P1 licences.
Option B is incorrect since this is only when you want to conduct reviews for existing users.
Option D is incorrect since this requires Premium P2 licensing
For more information on self-service password reset, please visit the below URL
https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-sspr-licensing
A company is planning on migrating their on-premise Microsoft SQL servers to Azure. They need to have a solution in place to host their existing SQL Server Integration Services (SSIS) packages. Which of the following could be used for this purpose?
Answer – D
This is given in the Microsoft documentation wherein you can use a component from Azure Data Factory for hosting the packages
- Option A is incorrect since this is used to organize data sources in Azure
- Options B and C are incorrect since these are used to migrate data between SQL servers.

For more information on hosting SSIS packages on Azure, please visit the below URL
A company currently has the following networks defined in Azure
| Virtual Network name | Subscription Name | Virtual Network Type |
|---|---|---|
| whizlabs-network1 | subcriptionA | Classic |
| whizlabs-network2 | subcriptionB | Resource Manager |
| whizlabs-network3 | subcriptionC | Resource Manager |
You have to ensure that resources in the virtual networks can communicate with each other. You have to reduce the administrative effort required for the implementation.
Which Virtual network topology would you recommend for this requirement?
Answer – C
You can create virtual network peering connections between Virtual networks in different subscriptions. You can also create virtual network peering connections between a Classic and Resource Manager Virtual Network. This is mentioned in the Microsoft documentation in the benefits for Virtual Network Peering.
Option A is incorrect since there is no peering connection between whizlabs-network1 and whizlabs-network3
Option B is incorrect since there is no peering connection between whizlabs-network1 and whizlabs-network3. There is also no connection between whizlabs-network2 and whizlabs-network3
Option D is incorrect since there is no peering connection between whizlabs-network2 and whizlabs-network3
For more information on Virtual Network peering, please visit the below URL
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-peering-overview
A company wants to deploy an application to Azure. The application has the below requirements
- Give the ability to install and provide access to the full .Net framework
- Allow administrative access to the operating system
- Provide a level of redundancy if an Azure region fails
You decide to deploy 2 Azure Virtual Machines in 2 separate regions. And then you create a Traffic Manager Profile
Does this solution meet the requirement?
Answer - A
Yes, this will meet all the requirements. Since you are using Azure Virtual Machines, IT administrators can get the required access. You can also then get the required access to the underlying software including the .Net framework.
Using a Traffic Manager profile along with the failover routing policy can ensure the requirement for redundancy is fulfilled.
For more information on Azure Traffic Manager, please visit the below URL
https://docs.microsoft.com/en-us/azure/traffic-manager/traffic-manager-overview
A company wants to deploy an application to Azure. The application has the below requirements
- Give the ability to install and provide access to the full .Net framework
- Allow administrative access to the operating system
- Provide a level of redundancy if an Azure region fails
You decide to deploy a web app using the Isolated App Service plan
Does this solution meet the requirement?
Answer - B
The Isolated App Service Plan provides a dedicated infrastructure, but will not fulfil the key requirements
For more information on the Isolated App Service Plan, please visit the below URL
A company wants to deploy an application to Azure. The application has the below requirements
- Give the ability to install and provide access to the full .Net framework
- Allow administrative access to the operating system
- Provide a level of redundancy if an Azure region fails
You decide to deploy 2 Azure Virtual Machines in 2 separate regions. And then you create an Azure Load balancer
Does this solution meet the requirement?
Answer – B
A Load balancer can’t distribute traffic across regions and hence this solution will not meet the requirement for redundancy.
For more information on the Azure Load Balancer, please visit the below URL
https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-standard-overview
Answer – A
You can use the long-term retention feature as mentioned in the Microsoft documentation below
Since this is clearly mentioned in the Microsoft documentation, all other options are incorrect
For more information on database long term retention, please visit the below URL
https://docs.microsoft.com/en-us/azure/sql-database/sql-database-long-term-retention
You need to recommend a solution for encrypting data at rest for the database. Which of the following would you recommend?
Correct Answer: Option A : Transparent Data encryption
The requirement is encrypt the data at rest for
?
- Option A: Transparent Data encryption
- Please refer to https://docs.microsoft.com/en-us/azure/sql-database/transparent-data-encryption-azure-sql#manage-transparent-data-encryption-by-using-transact-sql
This encryption is for data at rest and can be managed by T-SQL
Manage transparent data encryption by using Transact-SQL
Connect to the database by using a login that is an administrator or member of the dbmanager role in the master database.
| Command | Description |
|---|---|
| ALTER DATABASE (Azure SQL Database) | SET ENCRYPTION ON/OFF encrypts or decrypts a database |
| sys.dm_database_encryption_keys | Returns information about the encryption state of a database and its associated database encryption keys |
| sys.dm_pdw_nodes_database_encryption_keys | Returns information about the encryption state of each data warehouse node and its associated database encryption keys |
You can't switch the transparent data encryption protector to a key from Key Vault by using Transact-SQL. Use PowerShell or the Azure portal.
- Option B: Always Encrypted
This is done on Column/Field of a table. All data in a particular field/column of a table within a database is encrypted.
So this is not the correct solution
- Option C: Azure Data Storage Encryption
This encryption is for data at rest but cannot be managed by T-SQL, hence the wrong answer
- Option D: SSL Certificate
SSL is not for encryption of data at rest and hence is the wrong answer
Azure AD Connect will be installed to synchronize the identities between Azure AD and the on-premise Active Directory. Which of the following would need to be configured in Azure AD Connect?
Answer – B
A key requirement for the case study is to ensure that the identities are authenticated via the on-premise AD, and this is done with Pass-through Authentication. The Microsoft documentation mentions the following.
Options A and C are incorrect since you don’t need to do a federation
Option D is incorrect since you need to implement Pass-through Authentication to ensure that identities are authenticated by the on-premise AD
You need to recommend an availability solution for the Web tier of the Financial Processing System application when it is moved to Azure. Which of the following would you recommend?
Answer – B
The case study calls for infrastructure availability if a region fails. This can be done with the Traffic Manager. For this you can use the priority routing method as stated below in the Microsoft documentation
The other options are incorrect since they cannot be used to perform disaster recovery if a region fails.
For more information on the Traffic Manager, please visit the below URL
https://docs.microsoft.com/en-us/azure/traffic-manager/traffic-manager-overview
You need to meet the following requirement of the case study
“Collect windows security logs from the Middle tier and retain the logs for 2 years”
Which of the following would you use for this purpose?
Answer – D
You can use Log Analytics to get event data from Virtual Machines. The Log Analytics workspace can also retain data indefinitely. The Microsoft documentation mentions the following
Option A is incorrect since this is only used for notifications
Option B is partially correct, but due to the aspect of the data being collected and the data retention required, you should choose Log Analytics
Option C is incorrect since this is used as a Big data ingestion service
For more information on collecting performance data, please visit the below URL
https://docs.microsoft.com/en-us/azure/azure-monitor/learn/quick-collect-azurevm
You need to recommend the right solution for configuring Multi-Factor Authentication in Azure.
Which of the following would you recommend for licensing in Azure?
Answer – D
To implement conditional access policies, you can opt for Premium P1 licences. In our business scenario, however, we need to raise an MFA request for suspicious actions; for this we need to work with the AD Identity Protection Service, which is part of the Premium P2 licences. The Microsoft documentation mentions the following
Options A and B are incorrect since these editions don’t give access to conditional access policies
Option C is incorrect since we need to work with the AD Identity Protection Service.
For more information on conditional access, please visit the below URL
https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/overview
You need to recommend the right solution for configuring Multi-Factor Authentication in Azure.
How would you address the access control for the sign-in risk policy?
Answer – A
Since the case study says to ensure that conditional access requests MFA but still allows access, we need to choose Option A. In the Grant section, make sure to choose the “Require multi-factor authentication” option.
Since this is clear from the implementation, all other options are incorrect
For more information on conditional access, please visit the below URL
https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/overview
You have to recommend a solution for catering to the high availability requirements for the middle tier of the Financial Processing system. Which of the following would you implement?
Answer – D
Since the requirement is for availability of the middle tier, working with Availability Zones is the correct option. With this, even if one zone fails, the other zones are still available and the application keeps working. In this business scenario, we should ignore the SLA mentioned, because the SLA for Availability Zones is 99.99%.
https://docs.microsoft.com/en-us/azure/availability-zones/az-overview
You need to manage secure access between the .Net service and the CosmosDB account.
What would the CosmosDB account be used for in such a scenario?
Answer - B
The CosmosDB account will be used to create the users. The following code snippet from the Microsoft documentation shows how you can create CosmosDB account users
Next, if the CosmosDB account needs to be accessed, CosmosDB would request the right resource tokens to ensure that access could be granted. The Microsoft documentation also mentions an example workflow for a service that would make use of request tokens for CosmosDB
Since this is clearly given in the documentation, all other options are incorrect
For more information on secure access to CosmosDB, please visit the below URL
https://docs.microsoft.com/en-us/azure/cosmos-db/secure-access-to-data
You need to manage secure access between the .Net service and the CosmosDB account.
What would the .Net service be used for in such a scenario?
Answer – C
The .Net service will be used to generate the resource tokens and perform the required authentication.
The Microsoft documentation also mentions an example workflow for a service that would make use of request tokens for CosmosDB
Since this is clearly given in the documentation, all other options are incorrect
For more information on secure access to CosmosDB, please visit the below URL
https://docs.microsoft.com/en-us/azure/cosmos-db/secure-access-to-data
You have to recommend a strategy for the compute solution for the Financial Processing System. Which of the following would you recommend?
Answer – B
Since we need to cater to the below requirement of the case study
“The number of instances assigned to the front and middle tiers should be adjusted automatically based on the CPU utilization”
We have to use Virtual Machine scale sets for our compute solution. The Microsoft documentation mentions the following
Option A is incorrect since there is no mention of orchestrating docker containers for the application
Option C is incorrect since this is used for achieving high availability of the solution
Option D is incorrect since this is used for the Azure Web App service
For more information on virtual machine scale sets, please visit the below URL
https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/overview
A company has an application running as part of Azure Web Apps. A database is being hosted in a Virtual Network. There is a requirement to ensure that the web app can access the database without the need of exposing a public endpoint.
You decide to implement Web jobs for the Azure Web App
Does this meet the requirement?
Answer – B
The Web jobs feature is used to run background tasks and hence cannot be used for this requirement
For more information on Web jobs, please visit the below URL
https://docs.microsoft.com/en-us/azure/app-service/webjobs-create
A company has an application running as part of Azure Web Apps. A database is being hosted in Azure SQL. There is a requirement to ensure that the web app can access the database without the need of exposing a public endpoint.
You decide to implement Hybrid connections for the Azure Web App
Does this meet the requirement?
Answer – B
The Hybrid connection is normally used to connect to a single TCP host and port combination. Since Azure SQL does not provide an IP address or Port number, it will not work.
For more information on App Service Hybrid connections, please visit the below URL
https://docs.microsoft.com/en-us/azure/app-service/app-service-hybrid-connections
A company has an application running as part of Azure Web Apps. A database is being hosted in a Virtual Network. There is a requirement to ensure that the web app can access the database without the need of exposing a public endpoint.
You decide to implement VNET Integration for the Azure Web App
Does this meet the requirement?
Answer – A
This is the ideal solution. The Microsoft documentation mentions the following
For more information on integrating an app using VNET integration, please visit the below URL
A company is planning on deploying the following set of resources to Azure
- A set of virtual machines hosting an internal application
- An Azure Web app used for hosting a production-based application
The company has the following monitoring requirements.
- Understand the failures and performance issues for the application hosted in the Azure Web App service
- The IT Admin staff should be notified if any infrastructure level changes are made to the Virtual Machine
- Be informed if there are any issues with the underlying Azure services.
Which of the following would be best suited to fulfil the requirement?
“Understand the failures and performance issues for the application hosted in the Azure Web App service”
Answer – B
You can use Application Insights for this purpose. This is also given in the Microsoft documentation
Since this is clearly given in the Microsoft documentation, all other options are incorrect
For more information on Application Insights, please visit the below URL
https://docs.microsoft.com/en-us/azure/azure-monitor/app/devops
A company is planning on deploying the following set of resources to Azure
- A set of virtual machines hosting an internal application
- An Azure Web app used for hosting a production-based application
The company has the following monitoring requirements.
- Understand the failures and performance issues for the application hosted in the Azure Web App service
- The IT Admin staff should be notified if any infrastructure level changes are made to the Virtual Machine
- Be informed if there are any issues with the underlying Azure services.
Which of the following would be best suited to fulfil the requirement?
“The IT Admin staff should be notified if any infrastructure level changes are made to the Virtual Machine”
Answer – C
This can be done with Azure Monitor alerts. The following is mentioned in the Microsoft documentation.
Since this is clearly given in the Microsoft documentation, all other options are incorrect
For more information on Activity Log alerts, please visit the below URL
https://docs.microsoft.com/en-us/azure/azure-monitor/platform/alerts-activity-log
A company is planning on deploying the following set of resources to Azure
- A set of virtual machines hosting an internal application
- An Azure Web app used for hosting a production-based application
The company has the following monitoring requirements.
- Understand the failures and performance issues for the application hosted in the Azure Web App service
- The IT Admin staff should be notified if any infrastructure level changes are made to the Virtual Machine
- Be informed if there are any issues with the underlying Azure services.
Which of the following would be best suited to fulfil the requirement?
“Be informed if there are any issues with the underlying Azure services.”
Answer – D
Azure Service Health is the service that should be used. The following is mentioned in the Microsoft documentation.
Since this is clearly given in the Microsoft documentation, all other options are incorrect
For more information on Azure Service Health, please visit the below URL
A company is going to be deploying an Azure SQL Database instance to the Central US region. They have the following requirements when it comes to the security for the database instance
- Only select workstations with static Public IP addresses should be allowed to connect and perform administration on the database
- An Application hosted in a Virtual Network on a Virtual machine would need to interact with the Azure SQL database
- A function is implemented which hides the Social Security Numbers column in the Person table in the database
Which of the following would be best suited to fulfil the requirement?
“Only select workstations with static Public IP addresses should be allowed to connect and perform administration on the database”
Answer - B
You can use as shown in the Microsoft documentation below
Since this is clearly given in the Microsoft documentation, all other options are incorrect
For more information on configuring the firewall for Azure SQL database, please visit the below URL
https://docs.microsoft.com/en-us/azure/sql-database/sql-database-firewall-configure
A company is going to be deploying an Azure SQL Database instance to the Central US region. They have the following requirements when it comes to the security for the database instance
- Only select workstations with static Public IP addresses should be allowed to connect and perform administration on the database
- An Application hosted in a Virtual Network on a Virtual machine would need to interact with the Azure SQL database
- A function is implemented which hides the Social Security Numbers column in the Person table in the database
Which of the following would be best suited to fulfil the requirement?
“An Application hosted in a Virtual Network on a Virtual machine would need to interact with the Azure SQL database securely”
Answer – C
By using Virtual Network Service Endpoints, you can ensure that traffic from the Virtual Network can reach the Azure SQL database via the Azure Backbone network. The Microsoft documentation mentions the following
Since this is clearly given in the Microsoft documentation, all other options are incorrect
For more information on virtual network service endpoints, please visit the below URL
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-service-endpoints-overview
A company is going to be deploying an Azure SQL Database instance to the Central US region. They have the following requirements when it comes to the security for the database instance
- Only select workstations with static Public IP addresses should be allowed to connect and perform administration on the database
- An Application hosted in a Virtual Network on a Virtual machine would need to interact with the Azure SQL database
- A function is implemented which hides the Social Security Numbers column in the Person table in the database
Which of the following would be best suited to fulfil the requirement “A function is implemented which hides the Social Security Numbers column in the Person table in the database”?
Answer – B
This can be managed by using Dynamic Data masking. The Microsoft documentation mentions the following
Since this is clearly given in the Microsoft documentation, all other options are incorrect
For more information on dynamic data masking in SQL database, please visit the below URL
https://docs.microsoft.com/en-us/azure/sql-database/sql-database-dynamic-data-masking-get-started
A company is planning on hosting a set of servers in Azure. Some of these servers will run SQL Server 2016. These servers will be deployed to different data centers in the same Azure region. These will be part of an Always On availability group
The data on the servers will be backed up by using the SQL IaaS Agent Extension
Below are the key requirements for the storage for the different components of the Virtual Machine
- Operating System - Speed and availability for the storage priority
- Database and logs - Speed and availability for the storage priority
- Backups - This should use the lowest cost option for storage
You have to decide what is the ideal storage requirement for each component
Which of the following would you implement for the Operating System?
Answer – B
Make use of premium storage for high performance. Below is what the Microsoft documentation mentions
Option C is incorrect since Standard storage offers slower access than Premium storage
The Microsoft documentation mentions that we should not use geo-redundant storage accounts for SQL Servers as mentioned below. So, options A and D are incorrect.
For more information on SQL performance on VMs and Premium storage, please go ahead and visit the below URL
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/premium-storage
A company is planning on hosting a set of servers in Azure. Some of these servers will run SQL Server 2016. These servers will be deployed to different data centers in the same Azure region. These will be part of an Always On availability group
The data on the servers will be backed up by using the SQL IaaS Agent Extension
Below are the key requirements for the storage for the different components of the Virtual Machine
- Operating System - Speed and availability for the storage priority
- Database and logs - Speed and availability for the storage priority
- Backups - This should use the lowest cost option for storage
You have to decide what is the ideal storage requirement for each component
Which of the following would you implement for the Database and Logs?
Answer – B
Make use of premium storage for high performance. Below is what the Microsoft documentation mentions
Option C is incorrect since Standard storage offers slower access than Premium storage
The Microsoft documentation mentions that we should not use geo-redundant storage accounts for SQL Servers as mentioned below. So, options A and D are incorrect.
For more information on SQL performance on VMs and Premium storage, please go ahead and visit the below URL
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/premium-storage
A company is planning on hosting a set of servers in Azure. Some of these servers will run SQL Server 2016. These servers will be deployed to different data centers in the same Azure region. These will be part of an Always On availability group
The data on the servers will be backed up by using the SQL IaaS Agent Extension
Below are the key requirements for the storage for the different components of the Virtual Machine
- Operating System - Speed and availability for the storage priority
- Database and logs - Speed and availability for the storage priority
- Backups - This should use the lowest cost option for storage
You have to decide what is the ideal storage requirement for each component
Which of the following would you implement for the Backups?
Answer - C
With Standard Disks, you can achieve lower costs as mentioned below in the Microsoft documentation
The Microsoft documentation mentions that we should not use geo-redundant storage accounts for SQL Servers as mentioned below. So, options A and D are incorrect.
For more information on Standard storage, please go ahead and visit the below URL
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/standard-storage
A team has just set up an Azure SQL database. They are planning on enabling the diagnostics for the underlying Azure SQL server as shown below
What is the amount of time SQLInsights data will be stored in BLOB storage?
Answer – B
Since the retention for SQLInsights is specified as 90 days, the data will be stored for that duration.
Since this is clear from the above representation, all other options are incorrect
For more information on SQL Server database metrics, please go ahead and visit the below URL
https://docs.microsoft.com/en-us/azure/sql-database/sql-database-metrics-diag-logging
A team has just set up an Azure SQL database. They are planning on enabling the diagnostics for the underlying Azure SQL server as shown below
What is the maximum amount of time that SQLInsights data can be stored in Azure Log Analytics?
Answer – D
The limit for storing data is 730 days.
https://docs.microsoft.com/en-us/azure/azure-monitor/app/data-retention-privacy
A company has an Azure subscription named whizlab. The subscription contains resources for an application named whizlab-app. An Azure AD group named whizlab-admin is in place to manage the resources assigned to the application.
The company now wants to deploy a new application named whizlab-app-staging. The development team for the application will be part of a new Azure AD group called whizlab-dev.
The company has the following requirements
- The members of the whizlab-dev group should be able to create resources in Azure that are required by the whizlab-app-staging application
- The members of the whizlab-dev group should not be able to make any changes to the role assignments in Azure
- The role assignments for the whizlab-app-staging application should be performed by the members of the whizlab-admin group
You decide to implement the following solution
Create a new Azure subscription named whizlab-app-staging. Assign the whizlab-admin group as the Owner of the new subscription. Assign the Contributor role to the whizlab-dev group for the subscription
Does this fulfil the requirement?
Answer – A
Yes, this is one possible isolation of resources. You have the resources in different subscriptions.
Assigning the Owner privilege for the whizlab-admin group would fulfil the requirement of “The role assignments for the whizlab-app-staging application should be performed by the members of the whizlab-admin group”
Assigning the Contributor role to the whizlab-dev group will ensure the below constraint is met, “The members of the whizlab-dev group should not be able to make any changes to the role assignments in Azure”
For more information on organizing subscriptions, please go ahead and visit the below URL
A company has an Azure subscription named whizlab. The subscription contains resources for an application named whizlab-app. An Azure AD group named whizlab-admin is in place to manage the resources assigned to the application.
The company now wants to deploy a new application named whizlab-app-staging. The development team for the application will be part of a new Azure AD group called whizlab-dev.
The company has the following requirements
- The members of the whizlab-dev group should be able to create resources in Azure that are required by the whizlab-app-staging application
- The members of the whizlab-dev group should not be able to make any changes to the role assignments in Azure
- The role assignments for the whizlab-app-staging application should be performed by the members of the whizlab-admin group
You decide to implement the following solution
Create a new Azure subscription named whizlab-app-staging. Assign the whizlab-admin group the User Access Administrator role for the new subscription. Assign the Owner role to the whizlab-dev group for the subscription
Does this fulfil the requirement?
Answer – B
Here the role assignments are incorrect.
Assigning the User Access Administrator role to the whizlab-admin group will not enable the assignment of roles
Assigning the Owner role to the whizlab-dev group will break the requirement of “The members of the whizlab-dev group should not be able to make any changes to the role assignments in Azure”
For more information on in-built access roles, please go ahead and visit the below URL
https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles
A company has an Azure subscription named whizlab. The subscription contains resources for an application named whizlab-app. An Azure AD group named whizlab-admin is in place to manage the resources assigned to the application.
The company now wants to deploy a new application named whizlab-app-staging. The development team for the application will be part of a new Azure AD group called whizlab-dev.
The company has the following requirements
- The members of the whizlab-dev group should be able to create resources in Azure that are required by the whizlab-app-staging application
- The members of the whizlab-dev group should not be able to make any changes to the role assignments in Azure
- The role assignments for the whizlab-app-staging application should be performed by the members of the whizlab-admin group
You decide to implement the following solution
Create a new resource group named whizlab-app-staging in the current subscription. Assign the whizlab-admin group as the Owner of the resource group. Assign the Contributor role to the whizlab-dev group for the subscription.
Does this fulfil the requirement?
Answer – A
The best solution is to create a new resource group for the resources for the whizlab-app-staging application. You can then go to IAM for the resource group and assign the Owner privilege for the whizlab-admin group. This will fulfil the requirement of “The role assignments for the whizlab-app-staging application should be performed by the members of the whizlab-admin group”
Assigning the Contributor role to the whizlab-dev group will ensure the below constraint is met, “The members of the whizlab-dev group should not be able to make any changes to the role assignments in Azure”
For more information on in-built access roles, please go ahead and visit the below URL
https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles
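The Owner and Contributor reasoning in the whizlab-app-staging scenarios above, as an added Python sketch that is not part of the original page: it models how role assignments are inherited by child scopes and how a role's NotActions are subtracted from its Actions, using the third scenario's assignments. The role definitions are abridged, and the subscription ID and the whizlab-app resource group name are placeholders assumed for illustration.

```python
import fnmatch

# Abridged built-in role definitions. Contributor's real NotActions list is
# longer; only the Microsoft.Authorization entries matter for this check.
ROLES = {
    "Owner": {"actions": ["*"], "not_actions": []},
    "Contributor": {"actions": ["*"], "not_actions": [
        "Microsoft.Authorization/*/Delete",
        "Microsoft.Authorization/*/Write",
        "Microsoft.Authorization/elevateAccess/Action",
    ]},
}

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # placeholder ID
STAGING_RG = SUB + "/resourceGroups/whizlab-app-staging"
PROD_RG = SUB + "/resourceGroups/whizlab-app"  # assumed resource group name

# Assignments from the third scenario on the page: (principal, role, scope)
ASSIGNMENTS = [
    ("whizlab-admin", "Owner", STAGING_RG),
    ("whizlab-dev", "Contributor", SUB),
]

ROLE_WRITE = "Microsoft.Authorization/roleAssignments/write"
VM_WRITE = "Microsoft.Compute/virtualMachines/write"

def _matches(action, patterns):
    """Azure action strings are case-insensitive and allow * wildcards."""
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)

def _in_scope(assigned, target):
    """An assignment applies at its own scope and at every child scope."""
    a, t = assigned.lower().rstrip("/"), target.lower().rstrip("/")
    return t == a or t.startswith(a + "/")

def is_allowed(principal, action, scope, assignments=ASSIGNMENTS):
    """True if any inherited role grants the action (Actions minus NotActions)."""
    for who, role, assigned_scope in assignments:
        if who != principal or not _in_scope(assigned_scope, scope):
            continue
        d = ROLES[role]
        if _matches(action, d["actions"]) and not _matches(action, d["not_actions"]):
            return True
    return False

if __name__ == "__main__":
    for who in ("whizlab-admin", "whizlab-dev"):
        for scope in (STAGING_RG, PROD_RG):
            print(who, scope.rsplit("/", 1)[-1],
                  "role-assign:", is_allowed(who, ROLE_WRITE, scope),
                  "vm-write:", is_allowed(who, VM_WRITE, scope))
```

Because the Contributor assignment sits at subscription scope, the model also reports that whizlab-dev can create resources in every resource group of the subscription, not only in whizlab-app-staging.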
Your company has a set of VMware virtual machines that need to be migrated onto Azure. As the architect you have to present an estimation of the cost of migrating the machines onto Azure. You plan to use the Azure Migrate assessment tool for this. Which of the following costs would be given as part of the assessment tool? Choose 2 answers from the options given below
Answer – C and D
This is given in the Microsoft documentation. The assessment tool would give the Compute and storage costs as shown below.
Since this is clearly mentioned in the Microsoft documentation, all other options are incorrect
For more information on the assessment tool, please go ahead and visit the below URL
https://docs.microsoft.com/en-us/azure/migrate/tutorial-assessment-vmware
A company has just set up an Azure subscription and an Azure AD tenant. The company wants to enforce the following requirements
- Virtual Machines should only be created in specific regions
- Only Virtual Machines of specific sizes can be created
Which of the following would you use for this requirement?
Answer – B
This can be done with the help of Azure Policies. The Microsoft documentation mentions the following
Since this is clearly given in the Microsoft documentation, all other options are incorrect
For more information on Azure policies, please go ahead and visit the below URL
https://docs.microsoft.com/en-us/azure/governance/policy/overview
A company has set up an Azure subscription and an Azure tenant. You need to enable the development team to start and stop Virtual Machines. The access needs to be granted for a time-bound period.
You need to ensure the permission gets assigned for a period of start and end dates and use the principle of least privilege. You also need to minimize costs.
Which of the following would you use for the Azure AD license?
Answer – D
The feature to assign time-bound access to resources using start and end dates is available only in PIM of Azure AD, which is available in the Premium P2 edition.
Premium P2 license : https://azure.microsoft.com/en-in/pricing/details/active-directory/
Time-bound access to resources using start and end dates: https://docs.microsoft.com/bs-latn-ba/azure/active-directory/privileged-identity-management/pim-configure
For this requirement, we need to use Privileged Identity Management and for this we need to have Premium P2 licences.
Because of the license requirements mentioned in the documentation, the other options are incorrect
A company has set up an Azure subscription and an Azure tenant. You need to enable the development team to start and stop Virtual Machines. The access needs to be granted on specific occasions only.
You need to ensure the permission gets assigned and use the principle of least privilege. You also need to minimize costs.
Which of the following security features would you use for the requirement?
Answer – D
With Privileged Identity Management, you can implement just-in-time privileges for Azure resources.
Since this is clearly given in the Microsoft documentation, all other options are incorrect
For more information on Privileged Identity Management, please go ahead and visit the below URL
https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-configure
A team has a .NET application that needs to run on a Virtual machine. The application on the Virtual machine must authenticate using the same Azure AD Identity.
Which of the following would be done to provision the Azure AD Identity?
Answer – A
Here we can simply use a system-assigned Managed Service Identity. This can be done for the Virtual machine. The Microsoft documentation mentions the following
Option D is incorrect since we just have a single virtual machine that needs an identity provisioned in Azure AD.
Options B and C are incorrect because you need to use Managed service identities.
For more information on Managed service identities, please go ahead and visit the below URL
https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview
A team has a .NET application that needs to run on a Virtual machine. The application on the Virtual machine must authenticate using the same Azure AD Identity.
In order to generate a request token, which of the following would be used?
Answer – D
To generate the token, you have to use the Azure Instance Metadata Service Identity. The workflow is also given in the Microsoft documentation
Since this is clearly given in the Microsoft documentation, all other options are incorrect
For more information on Managed service identities, please go ahead and visit the below URL
https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview
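An added example, not from the original page, of the token request described above: a workload on the VM calls the Instance Metadata Service identity endpoint and receives a bearer token for the VM's managed identity. It is sketched in Python rather than .NET, the response body is constructed sample data, and `fetch_token` only works when run on an Azure VM with a managed identity enabled.

```python
import json
import time
import urllib.parse
import urllib.request

# Link-local IMDS identity endpoint, reachable only from inside the VM.
IMDS_TOKEN_URL = "http://169.254.169.254/metadata/identity/oauth2/token"
API_VERSION = "2018-02-01"

def build_token_request(resource):
    """Build the GET request a VM workload sends to IMDS for an access token."""
    query = urllib.parse.urlencode({"api-version": API_VERSION, "resource": resource})
    # IMDS rejects requests that lack the Metadata header.
    return urllib.request.Request(f"{IMDS_TOKEN_URL}?{query}", headers={"Metadata": "true"})

def parse_token_response(body, now=None, min_lifetime=300):
    """Return (authorization_header, seconds_left); raise if the token is unusable."""
    doc = json.loads(body)
    if doc.get("token_type") != "Bearer" or not doc.get("access_token"):
        raise ValueError("unexpected token response")
    current = int(now if now is not None else time.time())
    seconds_left = int(doc["expires_on"]) - current  # expires_on is epoch seconds
    if seconds_left < min_lifetime:
        raise ValueError("token is expired or about to expire; request a new one")
    return {"Authorization": "Bearer " + doc["access_token"]}, seconds_left

def fetch_token(resource, timeout=5):
    """Perform the real call; needs an Azure VM with a managed identity."""
    with urllib.request.urlopen(build_token_request(resource), timeout=timeout) as resp:
        return parse_token_response(resp.read())

# Constructed sample of the JSON body IMDS returns (not a real token).
SAMPLE_RESPONSE = json.dumps({
    "access_token": "constructed.sample.token",
    "expires_on": "1700003600",
    "resource": "https://management.azure.com/",
    "token_type": "Bearer",
})

if __name__ == "__main__":
    req = build_token_request("https://management.azure.com/")
    print(req.get_method(), req.full_url, req.header_items())
    print(parse_token_response(SAMPLE_RESPONSE, now=1700000000))
```

No secret or certificate is stored with the application: the only credential is the short-lived token, so what the identity can do is governed entirely by the roles assigned to it.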
A company is developing an application that will consist of different modules. The different modules need to communicate asynchronously with each other. Which of the following is the ideal service to use for this requirement?
Answer – D
Azure Queue Storage is the perfect solution for decoupling components of an application. The Microsoft documentation mentions the following on Azure Queue storage
Option A is incorrect because this is ideal for table storage
Option B is incorrect because this is a notification service
Option C is incorrect because this is ideal for object level storage
For more information on Azure queue storage, please go ahead and visit the below URL
A team has an Azure Cosmos DB account. A solution needs to be in place to generate an alert from Azure Log Analytics when a query request charge exceeds 40 units more than 10 times during a 10-minute window. Which of the following would you recommend? Choose 2 answers from the options given below
Answer - A and D
If you look at the table for the log entries in Azure Log Analytics, you can see that in order to monitor the request unit rate, we have to check for the requestCharge_s log entry.
You can then generate alerts in Azure Monitor based on the period and frequency
Option B is incorrect since the question states to check if the request charge exceeds 40 units
Option C is incorrect since this is the wrong metric to monitor
For more information on Cosmos DB logging, please go ahead and visit the below URL
Your team needs to deploy a Virtual machine that will host a SQL Server. The Virtual machine will have 2 data disks, one for the log file and the other for the data files. You need to recommend a caching policy for each disk
Which of the following would you recommend for the data disk containing the logs?
Answer – A
This is clearly mentioned in the Microsoft documentation
Since this is clearly mentioned, all other options are incorrect
For more information on the performance guidelines for SQL Server on Virtual Machines, please go ahead and visit the below URL
Your team needs to deploy a Virtual machine that will host a SQL Server. The Virtual machine will have 2 data disks, one for the log file and the other for the data files. You need to recommend a caching policy for each disk
Which of the following would you recommend for the data disk containing the data?
Answer – B
This is clearly mentioned in the Microsoft documentation
Since this is clearly mentioned, all other options are incorrect
For more information on the performance guidelines for SQL Server on Virtual Machines, please go ahead and visit the below URL
A company needs to move a web application onto Azure. Below are the main requirements for the application
- The application must be available to users even if an Azure data center becomes unavailable.
- Costs must be minimized.
Which of the following would you recommend?
Answer - D
A data center corresponds to the concept of availability zones.
The Microsoft documentation mentions the following with respect to availability sets
All other options are invalid, since you need to minimize costs, and you don't need to deploy resources across regions
For more information on availability sets, please go ahead and visit the below URL